Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
R2n8x3VrH8.dmg
|
zlib compressed data
|
initial sample
|
||
|
/private/tmp/binary
|
Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable] [arm64]
|
dropped
|
 |
|
|
/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.history
|
ASCII text
|
dropped
|
||
|
/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew
|
ASCII text
|
dropped
|
||
|
/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.session
|
ASCII text
|
dropped
|
||
|
/Users/bernard/.bash_sessions/shlock657
|
ASCII text
|
dropped
|
||
|
/dev/ttys000
|
ASCII text
|
dropped
|
||
|
/private/tmp/xuyna/username
|
ASCII text, with no line terminators
|
dropped
|
||
|
/private/var/run/utmpx
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
|
-
|
||
|
/usr/bin/open
|
/usr/bin/open /Volumes/Notion/Notion
|
||
|
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
|
-
|
||
|
/usr/bin/login
|
login -pf bernard
|
||
|
/usr/bin/login
|
-
|
||
|
/bin/bash
|
-bash
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/usr/libexec/path_helper
|
/usr/libexec/path_helper -s
|
||
|
/bin/bash
|
-
|
||
|
/bin/mkdir
|
mkdir -m 700 -p /Users/bernard/.bash_sessions
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/touch
|
/usr/bin/touch /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew
|
||
|
/bin/bash
|
-
|
||
|
/Volumes/Notion/Notion
|
/Volumes/Notion/Notion
|
||
|
/Volumes/Notion/Notion
|
-
|
||
|
/bin/sh
|
-
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/osascript
|
osascript -e tell application 'Terminal' to close first window
|
||
|
/bin/sh
|
-
|
||
|
/bin/chmod
|
chmod +x /tmp/binary
|
||
|
/bin/sh
|
-
|
||
|
/tmp/binary
|
/tmp/binary
|
||
|
/private/tmp/binary
|
-
|
||
|
/usr/bin/dscl
|
dscl . authonly bernard
|
||
|
/private/tmp/binary
|
-
|
||
|
/usr/bin/osascript
|
osascript -e display dialog 'Required Application Helper. Please enter password:' default answer '' with icon caution buttons
{'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/date
|
/bin/date +%s
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/touch
|
/usr/bin/touch /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/cp
|
/bin/cp /Users/bernard/.bash_history /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.history
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/bin/cat
|
/bin/cat /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/shlock
|
/usr/bin/shlock -f /Users/bernard/.bash_sessions/_expiration_lockfile -p 635
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/find
|
/usr/bin/find /Users/bernard/.bash_sessions -type f -mtime +2w -print -delete
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/wc
|
/usr/bin/wc -l
|
||
|
/bin/bash
|
-
|
||
|
/bin/bash
|
-
|
||
|
/usr/bin/touch
|
/usr/bin/touch /Users/bernard/.bash_sessions/_expiration_check_timestamp
|
||
|
/bin/bash
|
-
|
||
|
/bin/rm
|
/bin/rm /Users/bernard/.bash_sessions/_expiration_lockfile
|
||
|
/usr/libexec/xpcproxy
|
-
|
||
|
/usr/libexec/nsurlstoraged
|
/usr/libexec/nsurlstoraged --privileged
|
||
|
/usr/libexec/xpcproxy
|
-
|
||
|
/usr/libexec/firmwarecheckers/eficheck/eficheck
|
/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
|
There are 50 hidden processes, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
h3.apis.apple.map.fastly.net
|
151.101.195.6
|
||
|
updates.cdn-apple.com
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
151.101.131.6
|
unknown
|
United States
|
||
|
151.101.195.6
|
h3.apis.apple.map.fastly.net
|
United States
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
126b000
|
page read and write
|
|||
|
1023de000
|
page readonly
|
|||
|
1580000
|
page read and write
|
|||
|
a339000
|
page readonly
|
|||
|
5030000
|
page read and write
|
|||
|
107873000
|
page execute read
|
|||
|
1078f2000
|
page read and write
|
|||
|
1078f7000
|
page read and write
|
|||
|
1023de000
|
page readonly
|
|||
|
c000000000
|
page read and write
|
|||
|
1023de000
|
page readonly
|
|||
|
1078f2000
|
page read and write
|
|||
|
107873000
|
page execute read
|
|||
|
1600000
|
page read and write
|
|||
|
10792b000
|
page readonly
|
|||
|
10792b000
|
page readonly
|
|||
|
2c06000
|
page read and write
|
|||
|
101eb2000
|
page execute read
|
|||
|
1078f2000
|
page read and write
|
|||
|
12ab000
|
page read and write
|
|||
|
1023da000
|
page read and write
|
|||
|
1023f2000
|
page read and write
|
|||
|
122b000
|
page read and write
|
|||
|
129b000
|
page read and write
|
|||
|
11ab000
|
page read and write
|
|||
|
1078f7000
|
page read and write
|
|||
|
101eb2000
|
page execute read
|
|||
|
3a4e2000
|
page read and write
|
|||
|
1000000
|
page execute read
|
|||
|
10792b000
|
page readonly
|
|||
|
101eb2000
|
page execute read
|
|||
|
128b000
|
page read and write
|
|||
|
a281000
|
page execute read
|
|||
|
1a4e2000
|
page read and write
|
|||
|
1078f7000
|
page read and write
|
|||
|
1023da000
|
page read and write
|
|||
|
107873000
|
page execute read
|
|||
|
1023f2000
|
page read and write
|
|||
|
1023f2000
|
page read and write
|
|||
|
121e000
|
page read and write
|
|||
|
1023da000
|
page read and write
|
|||
|
11b4000
|
page read and write
|
|||
|
11e6000
|
page readonly
|
|||
|
a300000
|
page read and write
|
|||
|
9000000
|
page read and write
|
|||
|
a305000
|
page read and write
|
There are 36 hidden memdumps, click here to show them.